Cybersecurity is increasingly becoming a topic for legislators, especially in the public sector, critical infrastructure, healthcare, education, and the financial and insurance sectors.
In the US, in addition to several federal laws (HIPAA, HITECH, GLBA, SOX, FISMA, CISA), there are many state-level laws that impose some level of cybersecurity requirement. (We have excluded the ones dealing specifically with election security, as that is a separate topic of discussion.)
We have reviewed US state legislation from recent years and compiled a list of cybersecurity bills that were enacted. They typically stipulate that a certain sector must build a cybersecurity strategy and implement basic cybersecurity norms. The legislation is technology-neutral (and rightly so), but in most of these cases typical cybersecurity tools such as a SIEM, firewalls, antivirus and DLP are in practice needed to cover the requirements.
Below is a list of federal and state cybersecurity laws.
Regulation | Affected sectors | State | More information |
---|---|---|---|
HIPAA | Healthcare | Federal | The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html |
HITECH | Healthcare | Federal | The HITECH Act encouraged healthcare providers to adopt electronic health records and improved privacy and security protections for healthcare data. This was achieved through financial incentives for adopting EHRs and increased penalties for violations of the HIPAA Privacy and Security Rules. |
CISA | Any | Federal | The Cybersecurity Information Sharing Act of 2015 (CISA) is designed to “improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats and for other purposes”. https://whatis.techtarget.com/definition/Cybersecurity-Information-Sharing-Act-CISA https://www.lexology.com/library/detail.aspx?g=31bc698a-ec4d-4b9b-a8a9-46d893777a10 |
FISMA | Federal agencies | Federal | The Federal Information Security Management Act of 2002 (FISMA, updated by the Federal Information Security Modernization Act of 2014) was enacted to set security requirements for federal agencies’ information systems. FISMA’s goal is to ensure that data, and the systems that process it, preserve confidentiality, integrity and availability. https://www.sdxcentral.com/security/definitions/what-is-fisma-an-overview-of-the-law/ |
GLBA | Financial | Federal | The Gramm-Leach-Bliley Act (GLBA) requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data. |
SOX | Any | Federal | Sarbanes-Oxley Act (SOX) protects shareholders and the general public from accounting errors and fraudulent practices in enterprises and improves the accuracy of corporate disclosures. The act sets deadlines for compliance and publishes rules on requirements. |
SEC Regulation SCI | Financial | Federal | The SEC designed Regulation SCI in response to securities markets being increasingly dependent on technology and automated systems. Under the rule, SCI entities must design, implement, test and maintain IT policies and procedures for their systems’ capacity, integrity, resiliency, availability and security. |
AL S 54 | Insurance | Alabama | Relates to insurance; requires insurers and other entities licensed by the Department of Insurance to develop, implement, and maintain an information security program; provides for reporting to the Commissioner of Insurance, including the reporting of cybersecurity events; provides that information provided to the commissioner pursuant to this act would be confidential and privileged under certain conditions; provides for civil penalties under certain conditions. |
AZ H 2177 | Financial | Arizona | Revises provisions relating to the Regulatory Sandbox Program, revises certain definitions, relates to temporary testing of innovation without otherwise being licensed, revises provisions relating to the application process and requirements, provides for financial products and services, requires the employment of cybersecurity measures to avoid breaches. |
CA SB1386 | Any | California | SB 1386 went into effect on July 1, 2003. Under the law, covered parties must disclose any breach of the security of personal data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. |
DE H 174 | Insurance | Delaware | Enacts the Insurance Data Security Act. Establishes standards for data security for Title 18 licensees and standards for the investigation of and notification to the Commissioner of a cybersecurity event affecting Title 18 licensees. https://news.delaware.gov/2019/08/01/insurance-data-security-act-signed-into-law/ |
DE S 153 | State agencies | Delaware | Relates to the information technology recommendations of the Government Efficiency and Accountability Review Board; establishes a statewide shared technology services model to facilitate digital government for citizens, increase efficiency, and control security risks. |
IL H 5547 | State agencies | Illinois | Amends the State Auditing Act to provide that, on a biennial basis, the Auditor General shall conduct a performance audit of state agencies and their cybersecurity programs and practices, with a particular focus on agencies holding large volumes of personal information; provides for the subjects to be assessed by the audit; provides for the issuance of an audit report. http://www.senchapinrose.com/News/1377/New-laws-going-into-effect-Jan-1/news-detail/ |
IN S 362 | Utilities | Indiana | Relates to the regulation of new water and wastewater systems; provides that a water or wastewater utility that begins providing service to the public after a specified date is subject to the jurisdiction of the State Utility Regulatory Commission; provides for rates and charges, and other matters, for a specified period beginning on the day on which the water or wastewater utility begins providing service to the public. |
IN S 4 | Utilities | Indiana | Provides that a permit for the discharge from a wastewater treatment plant may not be issued unless the application contains a cybersecurity plan. Excludes the cybersecurity plan from public access. |
IN H 1372 | Insurance | Indiana | Adopts the insurance data security model law, which requires certain holders of an insurance license, authority, or registration to maintain an information security program and meet other requirements. Establishes an affirmative defense to a tort civil action for a licensee that satisfies the requirements of the insurance data security model law. |
LA S 46 | Any | Louisiana | Authorizes entities to monitor, share, and receive certain information relative to cyber threats, authorizes certain defensive measures, relates to certain security and information controls, provides for confidentiality of certain information. |
LA H 614 | Insurance | Louisiana | Provides relative to data security for persons regulated by the commissioner of insurance. |
LA S 140 | State agencies | Louisiana | Requires certain offices to report cyber incidents to the secretary of state. |
MA 201CMR17.00 | Any | Massachusetts | Standards for the protection of personal information of residents of the Commonwealth |
MI H 6491 | Insurance | Michigan | Enacts the Insurance Data Security Model law; establishes the exclusive standards, for this state, applicable to licensees for data security, the investigation of a cybersecurity event, and notification to the director. |
MS S 2831 | Insurance | Mississippi | Establishes the Insurance Data Security Law, provides the purpose and intent of the Act, defines certain terms used in the Act, requires insurance licensees in this state to develop, implement and maintain an information security program, requires certain investigation of a cybersecurity event, requires certain notification of a cybersecurity event, provides for certain confidentiality, provides exceptions to the Act, provides for penalties for violations of the Act. |
MO H 2120 | Utilities | Missouri | Establishes provisions relating to water safety and security. Provides that each community water system shall create a plan that establishes policies and procedures for identifying and mitigating cyber risk. The plan shall include risk assessments and the implementation of appropriate controls to mitigate identified cyber risks. |
ND S 2110 | State agencies, Education | North Dakota | Expands the powers and duties of the Information Technology Department to oversee cybersecurity strategy for all executive branch state agencies, including institutions under the control of the State Board of Higher Education, counties, cities, school districts, or other political subdivisions. |
NH S 194 | Insurance | New Hampshire | Establishes the Insurance Data Security Law, updates and establishes standards for the protection of consumers’ non-public information, requirements for investigation of a breach and notification to the Commissioner and consumers in the event of cybersecurity breaches relating to consumers’ nonpublic information. |
23 NYCRR 500 | Financial | New York | A regulation establishing cybersecurity requirements for financial services companies. |
SHIELD | Any | New York | The SHIELD Act’s obligations apply to “any person or business which owns or licenses computerized data which includes private information” of a resident of New York. Previously, the obligation to provide notification of a data breach under New York’s breach notification law applied only to persons or businesses that conducted business in New York. https://www.natlawreview.com/article/new-york-shield-act-faqs |
SC H 4655 | Insurance | South Carolina | Enacts the State Insurance Data Security Act; requires a licensee to develop, implement and maintain a comprehensive information security program based on the licensee’s risk assessment and establishes certain requirements for the security program; provides minimum requirements for a licensee’s Board of Directors, if applicable; requires a licensee to monitor the security program and make adjustments if necessary; provides that the licensee must establish an incident response plan; relates to reports. |
SC H 4950 | State agencies | South Carolina | Makes appropriations. Requires all state agencies to adopt and implement cybersecurity policies, guidelines and standards developed by the Department of Administration. The department may conduct audits on state agencies, except for public institutions of higher learning, technical colleges, political subdivisions, and quasi-governmental bodies, as necessary to monitor compliance with established cybersecurity policies, guidelines and standards. |
OH S 273 | Insurance | Ohio | Clarifies the definition of an insurance rating agency; requires each licensee to develop, implement, and maintain a comprehensive written information security program based on the licensee’s risk assessment; relates to a domestic surplus lines insurer. |
OK S 584 | State agencies | Oklahoma | Relates to public finance and security risk assessments; establishes requirements for an information security audit conducted by a certain firm on a certain basis; requires the Information Services Division to assist in repairing vulnerabilities; provides an exception for certain agencies subject to certain mandatory cybersecurity standards; requires submission of information security audit findings; modifies the requirement for submission of findings within a certain time. |
TX S 820 | Education | Texas | Requires a school district to develop and maintain a cybersecurity framework. |
TX S 936 | Utilities | Texas | Revises provisions relating to the Cybersecurity Monitor Program for electric utilities; requires the Public Utility Commission to contract with an entity to act as the Commission’s Cybersecurity Monitor; authorizes an electric utility, municipally owned utility, or electric cooperative to participate in or discontinue participation in the Cybersecurity Monitor Program. |
85R HB8 (Cybersecurity Act) | State agencies, Education | Texas | The bill sets mandatory practices for state agencies, institutes continuous monitoring and auditing of network systems, adds protections for student data privacy and updates the penalties for cybercrime. https://securityboulevard.com/2020/07/the-texas-cybersecurity-act-what-you-need-to-know/ http://www.txblc.org/wp-content/uploads/HB8-The-Texas-Cybersecurity-Act_4.20.17.pdf |
TAC 202 | State agencies, Education | Texas | Texas Administrative Code, Chapter 202 (Information Security Standards) sets the information security requirements for state agencies and institutions of higher education. https://dir.texas.gov/View-About-DIR/Information-Security/Pages/Content.aspx?id=2 |
UT H 41 | Utilities | Utah | Outlines the water policies of the state, encourages state agencies to follow the state policy, addresses suits referencing the state policy, and requires an annual review of the policy. |
VA H 852 | State agencies | Virginia | Relates to the Information Technologies Agency, requires the chief information officer of the Information Technologies Agency to develop and annually update a curriculum and materials for training all state employees in information security awareness and in proper procedures for detecting, assessing, reporting, and addressing information security threats. |
VA H 1334 | Insurance | Virginia | Establishes standards for insurance data security, for the investigation of a cybersecurity event, and for the notification to the commissioner of Insurance and affected consumers of a cybersecurity event, requires insurers to develop, implement, and maintain a comprehensive written information security program based on an assessment of its risk that contains administrative, technical, and physical safeguards. |
WV H 2452 | State agencies | West Virginia | Creates the West Virginia cybersecurity office, relates to the cybersecurity of state government, removes the requirements of the Chief Technology Officer to oversee the security of government information, creates the Cybersecurity Office, provides that the Chief Information Security Officer oversee the Cybersecurity Office, authorizes the Chief Information Security Officer to create a cybersecurity framework, to assist and provide guidance to agencies in cyber risk strategy. |
Complying with these regulations either requires a SIEM or benefits from having one. While a SIEM is generally considered expensive and complex, LogSentinel is making it accessible to organizations of any size, so that they can cover their compliance requirements.
LogSentinel SIEM lets you monitor your systems for security events, alerts you in case of potential breaches and provides you with compliance reports. More importantly, it helps you be more secure and therefore follow the spirit of those laws, not just their letter.
Are you looking for a solution to simplify cybersecurity and compliance? Request a demo today and see how LogSentinel SIEM can help you cover the federal and state cybersecurity laws applicable to your industry and location:
Bozhidar Bozhanov is co-founder and the CEO at LogSentinel. He is a senior software engineer and solution architect with 15 years of experience in the software industry. Bozhidar has been a speaker at numerous conferences and is among the popular bloggers and influencers in the technical field. He’s also a former government advisor on e-government, transparency and information security.